STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The system must rotate audit log files that reach the maximum file size.

DISA Rule

SV-208880r603263_rule

Vulnerability Number

V-208880

Group Title

SRG-OS-000480

Rule Version

OL6-00-000161

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf":

max_log_file_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"suspend"
"rotate"
"keep_logs"

Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.

Check Contents

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size:

# grep max_log_file_action /etc/audit/auditd.conf
max_log_file_action = rotate

If the "keep_logs" option is configured for the "max_log_file_action" line in "/etc/audit/auditd.conf" and an alternate process is in place to ensure audit data does not overwhelm local audit storage, this is not a finding.

If the system has not been properly set up to rotate audit logs, this is a finding.
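An added POSIX shell check (not part of the STIG or of STIGQter) that applies this rule's check logic to an auditd.conf file: comment lines are ignored, the key is matched case-insensitively as the fix text states, and the three outcomes map to exit codes. The config files it reads are constructed samples, and the assumption that the last definition of the key is the effective one is ours, not something the STIG states.

```shell
#!/bin/sh
# Evaluate OL6-00-000161 against an auditd.conf file.
# Exit 0 = rotate (not a finding), 2 = keep_logs (not a finding only if an
# alternate process protects audit storage), 1 = unset or any other value.

effective_action() {
    # Drop comments, match the key case-insensitively with optional spaces,
    # keep the last occurrence (assumption: last definition wins), lowercase it.
    sed -e 's/#.*//' "$1" \
      | grep -i '^[[:space:]]*max_log_file_action[[:space:]]*=' \
      | tail -n 1 \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | tr '[:upper:]' '[:lower:]'
}

check_max_log_file_action() {
    action=$(effective_action "$1")
    case "$action" in
        rotate)    echo "$1: max_log_file_action = rotate (not a finding)"; return 0 ;;
        keep_logs) echo "$1: keep_logs set; not a finding only with an alternate process"; return 2 ;;
        "")        echo "$1: max_log_file_action not set (finding)"; return 1 ;;
        *)         echo "$1: max_log_file_action = $action (finding)"; return 1 ;;
    esac
}

# Constructed sample configs (not real system files) for a stand-alone run.
tmpdir=$(mktemp -d)
printf 'log_file = /var/log/audit/audit.log\nmax_log_file_action = ROTATE\n' > "$tmpdir/ok.conf"
printf '# max_log_file_action = rotate\nmax_log_file_action = suspend\n' > "$tmpdir/bad.conf"
printf 'max_log_file_action = keep_logs\n' > "$tmpdir/keep.conf"

check_max_log_file_action "$tmpdir/ok.conf"
check_max_log_file_action "$tmpdir/bad.conf" || true
check_max_log_file_action "$tmpdir/keep.conf" || true
rm -rf "$tmpdir"
```

Run it against /etc/audit/auditd.conf on the target host to reproduce the grep in the check above with the comment and case handling already applied.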

Vulnerability Number

V-208880

Documentable

False

Rule Version

OL6-00-000161

Severity Override Guidance

Check Content Reference

M

Target Key

2928

Comments